Authorized push payment fraud, also known as APP fraud, is a type of fraud in which a bad actor tricks a victim into transferring money to a fraudulent account under their control. APP fraud has increased in the U.S. in recent years as peer-to-peer payment systems and fast bank transfers grow in popularity.
In this article, we explore APP fraud, how it works, and what businesses and individuals can do to mitigate the risk.
What Are Authorized Push Payments?
Authorized push payments are transactions in which an account holder authorizes their bank or payment provider to send, or “push,” money directly from their account to another bank account. The payer typically initiates the payment via a service such as online banking, phone banking, or peer-to-peer payment providers.
To understand authorized push payments, it’s helpful to contrast them with pull payments. While push payments involve the payer sending money from a bank account and deciding when the funds will be transferred, pull payments are initiated by the payee. In pull payment scenarios, the payee (such as a utility company or a subscription service) requests money from the payer’s account under a pre-authorized agreement.
The critical difference lies in who controls the transaction. In a push payment, control rests with the payer who determines when and how much to pay. In contrast, pull payments put the payee in the driver’s seat, allowing them to determine when to pull funds from the payer’s account. This difference in control impacts the fraud risk associated with each payment method.
What Is Authorized Push Payment Fraud?
Authorized push payment fraud is a type of payment fraud in which a criminal tricks individuals or businesses into making a push payment to a malicious account. A push payment scam often involves the bad actor impersonating a trusted entity, such as a bank, a service provider, or a business associate, to manipulate the victim into authorizing a payment under false pretenses.
APP Scams vs. Credit Card Fraud
Comparing push payments with credit card payments demonstrates how push payments increase risk to consumers, businesses, and financial institutions. The differences influence the methods criminals can use and the fraud prevention techniques available to banks and payment providers.
A credit card transaction involves the following steps:
- Authorization: The cardholder provides their card details to the merchant, authorizing them to request a payment.
- Authentication: The card issuer verifies the cardholder’s details and checks whether sufficient credit is available.
- Transaction Approval: If the authentication is successful, the card issuer approves the transaction, and the merchant can complete the sale.
- Settlement: The issuer transfers funds to the merchant’s bank, and the transaction amount is deducted from the cardholder’s credit limit.
It’s important to note that money is not sent from the cardholder’s bank to the merchant. The card issuer makes the payment to the merchant, and at a later date, the cardholder transfers money to the issuer.
This process allows credit card issuers to revoke or dispute a payment. If a cardholder identifies an unauthorized or fraudulent transaction on their statement, they can file a dispute with their credit card company, which can initiate a chargeback process, reversing the transaction and refunding the money to the cardholder.
Push payments follow a different process:
- Payment Initiation: The payer decides to make a payment and initiates the transaction via their bank or a payment platform.
- Payment Authorization: The payer provides the recipient’s bank details and authorizes the funds transfer.
- Transaction Execution: The payer’s bank transfers the funds to the recipient’s account.
- Confirmation: The payer and recipient receive a confirmation that the transaction has been completed.
A consequence of the push payment process is that payments cannot be easily revoked once executed. Since the payer authorizes the payment, the bank assumes the transaction is legitimate and completes it immediately. Once the money has reached the recipient’s account, it’s not usually possible to reverse the transaction, particularly if the recipient quickly withdraws or transfers the funds.
These differences in transaction processes lead to distinct fraud risks. In credit card fraud, bad actors steal card details and use them to make unauthorized purchases. Security measures such as encryption, two-factor authentication, and fraud monitoring systems are employed to counter these threats.
In contrast, authorized push payment fraud hinges on social engineering and deception. Bad actors trick payers into authorizing payments to accounts they control. As the payer initiates and authorizes the transaction, traditional fraud detection systems may not flag it as suspicious, making APP fraud harder to prevent and detect.
Types of Authorized Push Payment Fraud
Push payment fraud can manifest in various ways, each presenting unique challenges for detection and prevention. The common thread across all types is the fraudulent manipulation of the victim into authorizing a payment to an account the scammer controls.
However, the methods and narratives used, such as the ones listed here, are tailored to exploit specific vulnerabilities and circumstances:
- Purchase Scams: The victim pays in advance for goods or services that do not exist. A dishonest individual advertises products or services at a reduced price to lure potential victims. The bad actor disappears once the payment is made, and the promised goods or services are never delivered.
- Advance Fee Scams: Fraud victims are asked to pay a fee to access a service or prize, which never materializes. For example, a confidence trickster may impersonate a lottery organization or loan company, promising large sums of money or high-value prizes once an administrative fee is paid. When the payment is made, the promised reward never comes.
- CEO Fraud: Also known as Business Email Compromise (BEC), this type of fraud involves impersonating a senior executive and persuading an employee to make a payment for business purposes. Criminals can extract hasty payments without proper verification by exploiting the trust and authority associated with the executive’s position.
- Investment Scams: Frauds of this kind trick the victim into making an investment that does not exist. The scammer might present a “too good to be true” investment opportunity promising high returns. The victim, enticed by the potential gains, transfers money to the scammer’s account, only to discover the investment was fictitious.
- Romance Scams: The scammer pretends to be in a romantic relationship with the victim. They manipulate the bond to convince the victim to transfer money to, for example, pay for a medical emergency or travel expenses. Once the money is sent, the romantic partner disappears.
- Invoice Fraud: The scammer pretends to be a supplier or service provider and sends fake invoices to the business. The invoice might request payment for goods or services that were never delivered or significantly overstate the cost of actual deliveries. Alternatively, an invoice fraud scam might intercept a genuine invoice and alter the bank account details, causing the business to unknowingly make a payment to a fraudulent account instead of the actual supplier.
Mitigating APP Fraud Risks
Mitigating the risks of authorized push payment fraud requires a combination of technological solutions, educational initiatives, and robust operational controls. Here are some key strategies businesses can use to reduce fraud risk and protect customers:
- Customer Education: Inform customers about the nature of APP fraud, how to recognize potential scams, and how to protect themselves. Provide clear guidelines on secure transaction practices, issue alerts about common scams, and encourage customers to verify payment details before authorizing transactions.
- Transaction Monitoring: Monitor transaction patterns to identify unusual activity that could indicate fraud. Automated transaction monitoring systems can flag suspicious transactions involving large sums, frequent transactions, transactions to new payees, and transaction patterns that match known fraud risks.
- Transaction Delays: Introduce time delays for high-value or unusual transactions to provide a window for additional checks. The delay gives the company and the customer time to detect and respond to potential fraud before transferring funds.
- Confirmation of Payee (CoP): Implement CoP systems that compare the recipient’s name against account details, ensuring that the right person is paid. This system can prevent payments to fraudsters’ accounts and alert customers when the account details do not match the entered name.
- Account Takeover Fraud Prevention: Account Takeover (ATO) fraud is often a precursor to APP fraud. An ATO prevention solution quickly detects and responds to potential account takeovers, preventing bad actors from initiating fraudulent transactions.
- Continuous Controls Monitoring (CCM): A CCM solution monitors business Accounts Payable, payroll, and vendor management systems to identify anomalies that may indicate fraud and non-compliance with payment and procurement policies.
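The transaction monitoring, transaction delay, and Confirmation of Payee controls above can be combined into a single check that runs before a push payment executes. The sketch below is an added example, not Alessa's code or any payment scheme's API; the thresholds, the account registry, the reason labels, and all names and account numbers are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from difflib import SequenceMatcher

# Assumed policy values for illustration; tune to your own risk appetite.
HIGH_VALUE, VELOCITY_LIMIT = 5_000.00, 3
VELOCITY_WINDOW, HOLD_PERIOD = timedelta(hours=1), timedelta(hours=4)
NOISE = {"ltd", "limited", "inc", "llc", "mr", "mrs", "ms"}

@dataclass
class Payment:
    payer: str
    payee_account: str
    payee_name: str   # name as typed by the payer
    amount: float
    when: datetime

def normalize(name):
    words = re.sub(r"[^a-z0-9 ]", "", name.lower()).split()
    return " ".join(sorted(w for w in words if w not in NOISE))

def cop_check(entered, registered):
    """Confirmation of Payee: compare the typed name with the registered name."""
    a, b = normalize(entered), normalize(registered or "")
    if not a or not b:
        return "no_match"          # unknown account or empty name
    if a == b:
        return "match"
    return "close_match" if SequenceMatcher(None, a, b).ratio() >= 0.8 else "no_match"

def assess(p, history, registry):
    """Return (decision, reasons, release_at) before the push payment executes."""
    reasons = []
    cop = cop_check(p.payee_name, registry.get(p.payee_account))
    if cop != "match":
        reasons.append("cop_" + cop)
    mine = [h for h in history if h.payer == p.payer]
    if all(h.payee_account != p.payee_account for h in mine):
        reasons.append("new_payee")
    if p.amount >= HIGH_VALUE:
        reasons.append("high_value")
    if sum(timedelta(0) <= p.when - h.when <= VELOCITY_WINDOW for h in mine) >= VELOCITY_LIMIT:
        reasons.append("velocity")
    if cop == "no_match":
        return "block_and_warn", reasons, None           # payer must re-verify the payee
    if len(reasons) >= 2:
        return "hold", reasons, p.when + HOLD_PERIOD     # delay window for extra checks
    return "release", reasons, None

# Constructed sample data: registered account names and one payer's history.
REGISTRY = {"GB-0001": "Northwind Supplies Ltd", "GB-0999": "J Smith"}
T0 = datetime(2024, 1, 15, 9, 0)
HISTORY = [Payment("acme", "GB-0001", "Northwind Supplies", 800.0, T0 - timedelta(days=30))]
```

The altered-invoice case from the invoice fraud description (a familiar supplier name paired with an unfamiliar account) is the one this check stops outright, because the registered name on the new account does not match the name the payer typed.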
Authorized push payment fraud is a significant threat in today’s digital payments landscape. However, with customer education, advanced fraud detection systems, robust transaction monitoring, and proactive account takeover prevention measures, businesses can significantly reduce the risk.
The Alessa platform provides fraud management and anti-money laundering solutions that help businesses and financial institutions reduce fraud and compliance risks. Get in touch today for a free demonstration.